The reason why Microsoft is talking about this is because they haven't patched their browser (yet). (Edit: Recent versions of Edge and IE 10/11 have addressed this issue.) Mozilla considers this to be a vulnerability in the JSON specification and therefore they patched it in Firefox 3. For the record I completely agree with Mozilla, and it's unfortunate, but each web app developer is going to have to defend themselves against this very obscure vulnerability.

The browser (or some browsers) use that constructor for [n, n, n] array notation. A CSRF attack can therefore exploit your open session with your bank, hit a known JSON URL with a <script> tag to fetch it, and then poof you are owned.

I don't get this - moving the array in the JSON down into a property wouldn't stop this type of attack. Returning {"d":[1,2,3]} would be just as susceptible as returning [1,2,3].
– Peter Bailey Aug 17 '10 at 15:42

I agree - that's what I meant when I said the problem isn't just about Arrays.
– Pointy Aug 17 '10 at 18:23

36

Not true. A { at the beginning of a line in JavaScript is interpreted as a code block, not an object literal. Thus, your {"d":[1,2,3]} is not a valid script and would not be executed by the browser. Just try it :)
– fletom Mar 2 '12 at 18:16
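The disagreement in the comments above (whether `{"d":[1,2,3]}` is any safer than `[1,2,3]`) comes down to one question: can the response body be parsed as a script at all? A `<script src>` include only gets to run (and a hijacked `Array` constructor only gets to see values) if the body passes the JavaScript parser. The following is an added example, not code from the thread; it uses `new Function(body)` to parse a body under script grammar without executing it, and constructed sample responses to show which shapes are accepted. The last sample, `{a:1}`, goes beyond the thread's cases to show the caveat that an unquoted key is parsed as a statement label, so the wrapper defends only because JSON keys are quoted strings.

```javascript
// Added example (not from the original thread). Decides whether a JSON
// response body would also be accepted as a stand-alone script, which is
// the precondition for a cross-site <script> include to observe it.
function parsesAsScript(body) {
  try {
    // new Function parses `body` as a function body (script grammar) but
    // does not run it. A SyntaxError here means a <script> include would
    // abort before any code, including an overridden Array(), executes.
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e; // anything else is a bug in this helper, not a parse result
  }
}

// Whether the same body is valid JSON for a legitimate XHR/fetch consumer.
function parsesAsJson(body) {
  try {
    JSON.parse(body);
    return true;
  } catch (e) {
    return false;
  }
}

function classify(body) {
  return { json: parsesAsJson(body), script: parsesAsScript(body) };
}

// Constructed sample responses (not from any real service).
const bareArray = '[1,2,3]';          // valid JSON, valid script (expression statement)
const wrapped = '{"d":[1,2,3]}';       // valid JSON; as a script, `{` opens a block,
                                       // "d" is a string statement, then `:` is a syntax error
const bareObject = '{"a":1}';          // same reasoning as `wrapped`
const labelLike = '{a:1}';             // NOT valid JSON, but a valid script: block + label `a`

// Stand-alone run: print the verdict for each sample.
for (const body of [bareArray, wrapped, bareObject, labelLike]) {
  console.log(body.padEnd(16), classify(body));
}
```

The takeaway for a defender: a top-level object with quoted keys fails script parsing in every engine, so it cannot be included via `<script src>`, whereas a top-level array parses as an expression statement and is exposed to any engine that still lets a page replace `Array`. That is why the `{"d": ...}` wrapper, a top-level object, or an `)]}'` prefix that the legitimate client strips are the usual mitigations, alongside requiring a header or token that a cross-site `<script>` include cannot send.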